EVALUATION REPORT

REDACTED FOR PUBLIC RELEASE

Information Security Risk Evaluation of Region II – Atlanta, GA

OIG-12-A-17         August 27, 2012

All publicly available OIG reports (including this report) are accessible through NRC’s Web site at:
http://www.nrc.gov/reading-rm/doc-collections/insp-gen/


UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

OFFICE OF THE INSPECTOR GENERAL

August 27, 2012

MEMORANDUM TO:   R. William Borchardt
                 Executive Director for Operations

FROM:            Stephen D. Dingbaum /RA/
                 Assistant Inspector General for Audits

SUBJECT:         INFORMATION SECURITY RISK EVALUATION OF REGION II – ATLANTA, GA (OIG-12-A-17)

Attached is the Office of the Inspector General’s (OIG) evaluation report titled Information Security Risk Evaluation of Region II – Atlanta, GA.

The report presents the results of the subject evaluation. The agency agreed with the evaluation findings and did not provide comments at the July 13, 2012, exit conference.

Please provide information on actions taken or planned on each of the recommendations within 30 days of the date of this memorandum. Actions taken or planned are subject to OIG followup as stated in Management Directive 6.1.

We appreciate the cooperation extended to us by members of your staff during the audit. If you have any questions or comments about our report, please contact me at 415-5915 or Beth Serepca, Team Leader, Security and Information Management Team, at 415-5913.

Attachment: As stated


OFFICIAL USE ONLY – SECURITY RELATED INFORMATION

Information Security Risk Evaluation of Region II – Atlanta, GA

REDACTED FOR PUBLIC RELEASE

Contract Number: GS-00F-0001N
NRC Order Number: D12PD01191

August 22, 2012

The views, opinions, and findings contained in this report are those of the authors and should not be construed as an official Nuclear Regulatory Commission position, policy, or decision, unless so designated by other official documentation.


EXECUTIVE SUMMARY

BACKGROUND

The U.S. Nuclear Regulatory Commission (NRC) Office of the Inspector General (OIG) tasked Richard S. Carson & Associates, Inc. to perform an information security risk evaluation of the NRC’s regional offices and the Technical Training Center. 
This report presents the results of the information security risk evaluation for Region II, located in Atlanta, Georgia.

OBJECTIVES

The objectives of the Region II information security risk evaluation were to:

- Perform an independent information security risk evaluation of the NRC IT security program, policies, and practices for compliance with the Federal Information Security Management Act (FISMA) of 2002 in accordance with OMB guidance and Federal regulations and guidelines as implemented at Region II.
- Evaluate the effectiveness of agency security control techniques as implemented at Region II.

RESULTS IN BRIEF

Region II has made improvements in its implementation of NRC’s IT security program and practices for NRC IT systems since the previous evaluations in 2003, 2006, and 2009. All corrective actions from the previous evaluations have been implemented. However, the Region II IT security program and practices are not always consistent with the NRC’s IT security program, as summarized below.

Physical and Environmental Security Controls

All IT equipment in the Region II data center and telecommunications closets is connected to short-term uninterruptible power supplies (UPSs); however, the UPSs are not tested on a regular basis. As a result, Region II has no assurance that the UPSs will perform as expected in the event of a power failure. If a UPS fails during a power failure, equipment may not be shut down in an orderly manner, resulting in possible equipment damage or loss of data.

Region II key management procedures have not been fully implemented.

Continuity of Operations and Recovery

Backup procedures are not maintained and kept up-to-date as required. As a result, Region II may not have reliable IT system backup information available if there is a need for system or file recovery.

IT Security Program

Some NRC-owned laptops have not been authorized to operate, and documentation for regional laptop systems is not up-to-date. As a result, Region II is not fully compliant with NRC requirements for laptop systems. Without up-to-date documentation, Region II laptop system users may not be aware of their responsibilities with regard to use of these laptops, which could lead to unauthorized use of NRC resources or release of sensitive information.

Regional IT security program procedures are not kept up-to-date. As a result, steps or processes could be skipped or forgotten if the personnel responsible for a particular activity are unavailable. In addition, outdated procedures make it more difficult to train new personnel to handle a specific activity.

RECOMMENDATIONS

This report makes recommendations to the Executive Director for Operations to improve NRC’s information system security program and implementation of FISMA at Region II. A consolidated list of recommendations appears on page 15 of this report.

AGENCY COMMENTS

At an exit conference on July 13, 2012, agency officials agreed with the findings and did not provide any changes to the draft report. The agency opted not to submit formal comments.


ABBREVIATIONS AND ACRONYMS

CSO-STD      Computer Security Office Standard
FISMA        Federal Information Security Management Act
ISSO         Information Systems Security Officer
IRB          Information Resources Branch
IT           Information Technology
ITI          IT Infrastructure System
MD           Management Directive
NIST         National Institute of Standards and Technology
NRC          Nuclear Regulatory Commission
OIG          Office of the Inspector General
OMB          Office of Management and Budget
ROI          Regional Office Instruction
SGI          Safeguards Information
SP           Special Publication
UPS          Uninterruptible Power Supply

TABLE OF CONTENTS

Executive Summary                                                                  i
Abbreviations and Acronyms                                                       iii

1 Background                                                                       1
2 Objectives                                                                       2
3 Findings                                                                         2
  3.1 Physical and Environmental Security Controls                                 3
      FINDING #1: UPSs Are Not Tested on a Regular Basis                           3
      3.1.1 Emergency Power Requirements                                           3
      3.1.2 Agency Has Not Fully Met Requirements                                  3
      3.1.3 Impact on Region II Operations                                         3
      3.1.4 Physical Access Control Systems                                        4
      FINDING #2: Key and Combination Management Procedures Need Improvement       4
      3.1.5 Physical Access Requirements                                           5
      3.1.6 Agency Has Not Fully Met Requirements                                  5
      3.1.7 Impact on Region II Operations                                         5
  3.2 Continuity of Operations and Recovery                                        6
      3.2.1 Region II Servers                                                      7
      FINDING #3: Backup Procedures Are Not Up-to-Date                             7
      3.2.2 Backup Requirements                                                    7
      3.2.3 Agency Has Not Fully Met Requirements                                  8
      3.2.4 Potential Risk of Data Loss                                            9
  3.3 Information Technology Security Program                                      9
      3.3.1 Region II Laptop Systems                                               9
      FINDING #4: Some Laptops Are Not Authorized To Operate and Documentation
           for Regional Laptop Systems Is Not Up-to-Date                          10
      3.3.2 Laptop System Requirements                                            10
      3.3.3 Agency Has Not Fully Met Requirements                                 11
      3.3.4 Impact on Region II Operations                                        12
      3.3.5 Regional Procedures and Instructions                                  12
      FINDING #5: Regional IT Security Program Procedures Are Not Kept Up-to-Date 12
      3.3.6 Requirements for Updating Procedures                                  13
      3.3.7 Agency Has Not Fully Met Requirements                                 13
      3.3.8 Impact on Region II Operations                                        13
4 Consolidated List of Recommendations                                            15
5 Agency Comments                                                                 17

Appendix. OBJECTIVES, SCOPE, AND METHODOLOGY                                      19


1      Background

The U.S. Nuclear Regulatory Commission (NRC) has four regional offices that conduct inspection, enforcement, investigation, licensing, and emergency response programs for nuclear reactors, fuel facilities, and materials licensees. The regional offices are the agency’s front line in carrying out its mission and implementing established agency policies and programs nationwide. The Region II office oversees regulatory activities in the southeastern United States, is located in Atlanta, Georgia, and operates under the direction of a Regional Administrator. The region covers a 10-State area, including 8 States with nuclear power plants. Region II also includes Puerto Rico and the U.S. Virgin Islands. Region II oversees commercial nuclear fuel processing facilities in Illinois and Ohio, which are located in Region III, as well as in New Mexico and Washington, which are located in Region IV. Region II also handles all construction inspection activities for all new nuclear power plants and fuel cycle facilities, regardless of geographical location.

Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, requires agencies to implement and maintain an information technology (IT) security program, including the preparation of policies, standards, and procedures. An effective IT security program is an important managerial responsibility. Management establishes a positive climate by making computer security a part of the information resources management process and by providing support for a viable IT security program.

On December 17, 2002, the President signed the E-Government Act of 2002, which included the Federal Information Security Management Act (FISMA) of 2002.[1] FISMA outlines the information security management requirements for agencies, which include an annual independent evaluation of an agency’s information security program[2] and practices to determine their effectiveness. This evaluation must include testing the effectiveness of information security policies, procedures, and practices for a representative subset of the agency’s information systems. The evaluation also must include an assessment of compliance with FISMA requirements and related information security policies, procedures, standards, and guidelines. FISMA requires the annual evaluation to be performed by the agency’s Office of the Inspector General (OIG) or by an independent external auditor.[3]

NRC maintains an IT security program to provide appropriate protection of information resources. In this regard, the role of the NRC OIG is to provide oversight of agency programs, including the IT security program, in support of the NRC goal to ensure the safe use of radioactive materials for beneficial civilian purposes while protecting people and the environment.

[1] The Federal Information Security Management Act of 2002 was enacted on December 17, 2002, as part of the E-Government Act of 2002 (Public Law 107-347) and replaces the Government Information Security Reform Act, which expired in November 2002.
[2] NRC uses the term “information security program” to describe its program for ensuring that various types of sensitive information are handled appropriately and are protected from unauthorized disclosure in accordance with pertinent laws, Executive orders, management directives, and applicable directives of other Federal agencies and organizations. For the purposes of FISMA, the agency uses the term IT security program.
[3] While FISMA uses the language “independent external auditor,” OMB Memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act, clarified this requirement by stating that “Within the context of FISMA, an audit is not contemplated. By requiring an evaluation but not an audit, FISMA intended to provide Inspectors General some flexibility…”

In support of its FISMA obligations, the NRC OIG tasked Richard S. Carson & Associates, Inc. to perform an information security risk evaluation of the NRC’s regional offices and the Technical Training Center to evaluate the IT security programs in place at those locations, including an assessment of physical security weaknesses affecting the IT security program, and to identify existing problems and make recommendations for corrective actions.

The information security risk evaluation focused on the following elements of the NRC’s IT security program, policies, and practices:

- Physical and Environmental Security Controls.
- Logical Access Controls.
- Configuration Management.
- Continuity of Operations and Recovery.
- IT Security Program.

This report presents the results of the information security risk evaluation for Region II. 
A consolidated list of recommendations appears on page 15.

2      Objectives

The objectives of the Region II information security risk evaluation were to:

- Perform an independent information security risk evaluation of the NRC IT security program, policies, and practices for compliance with FISMA in accordance with OMB guidance and Federal regulations and guidelines as implemented at Region II.
- Evaluate the effectiveness of agency security control techniques as implemented at Region II.

The appendix contains a description of the evaluation objectives, scope, and methodology.

3      Findings

Region II has made improvements in its implementation of NRC’s IT security program and practices for NRC IT systems since the previous evaluations in 2003, 2006, and 2009. All corrective actions from the previous evaluations have been implemented. However, the Region II IT security program and practices are not always consistent with the NRC’s IT security program as defined in Management Directive (MD) and Handbook 12.5, NRC Automated Information Systems Security Program, other NRC policies, FISMA, and National Institute of Standards and Technology (NIST) guidance. While many of the Region II automated and manual IT security controls are generally effective, some IT security controls need improvement.

Specifics on physical and environmental security controls, continuity of operations and recovery, and the Region II IT security program are described in the following sections.

3.1    Physical and Environmental Security Controls

Overall, Region II is implementing the physical and environmental security controls described in MD and Handbook 12.1, NRC Facility Security Program; MD and Handbook 12.5; and NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems. Region II has implemented a number of safeguards to restrict access to the facility, including visitor access controls and physical access control systems. Fire suppression and detection systems are adequate and meet NRC requirements. Environmental controls are sufficient to protect IT equipment from potential hazards. Short-term uninterruptible power supplies (UPSs) provide sufficient power to facilitate an orderly shutdown of IT equipment in the event of a primary power source loss. However, the evaluation team identified issues with UPS testing and with key and combination management procedures.

FINDING #1: UPSs Are Not Tested on a Regular Basis

NIST SP 800-53, physical and environmental control PE-11, emergency power, states that organizations should provide a short-term UPS to facilitate an orderly shutdown in the event of a primary power source loss. 
All IT equipment in the Region II data center and telecommunications closets is connected to short-term UPSs; however, the UPSs are not tested on a regular basis. As a result, Region II has no assurance that the UPSs will perform as expected in the event of a power failure. If a UPS fails during a power failure, equipment may not be shut down in an orderly manner, resulting in possible equipment damage or loss of data.

3.1.1 Emergency Power Requirements

NIST SP 800-53, physical and environmental control PE-11, emergency power, states that organizations should provide a short-term UPS to facilitate an orderly shutdown in the event of a primary power source loss.

3.1.2 Agency Has Not Fully Met Requirements

All IT equipment in the Region II data center and telecommunications closets is connected to short-term UPSs. However, the UPSs are not tested on a regular basis to ensure that they are operating and can provide the amount of power necessary to facilitate an orderly shutdown of equipment in the event of a primary power source loss. One of the assumptions made in developing the contingency plan for the Region II Office Support System is that data center equipment is connected to UPSs that provide approximately 20 minutes of electricity during a power failure.

3.1.3 Impact on Region II Operations

Although neither NIST nor NRC explicitly requires periodic testing of UPSs, without such testing Region II has no assurance that the UPSs will perform as expected in the event of a power failure. If a UPS fails during a power failure, equipment may not be shut down in an orderly manner, resulting in possible equipment damage or loss of data.

RECOMMENDATION

    The Office of the Inspector General recommends that the Executive Director for Operations:

    1. Develop, document, and implement procedures for testing UPSs on a periodic basis. Procedures should include a means to record the results of such testing.

3.1.4 Physical Access Control Systems

On April 12, 2010, the Region II office moved to 245 Peachtree Center Ave, NE, Atlanta, GA. These facilities were specifically constructed based upon Region II needs and requirements. One of the major requirements was to significantly reduce the number of keyed doors in favor of electronic access controls. As a result, the use of keyed doors has been greatly reduced. [Redacted][4]

FINDING #2: Key and Combination Management Procedures Need Improvement

MD and Handbook 12.5 provide guidance for key and combination control procedures, including the requirement to establish, document, implement, and enforce effective key and combination control procedures. However, Region II key management procedures have not been fully implemented.

[4] [Redacted]

3.1.5 Physical Access Requirements

MD and Handbook 12.5 provide guidance for key and combination control procedures, including the requirement to establish, document, implement, and enforce effective key and combination control procedures. 
Offices are required to create a comprehensive inventory of all keys and combinations related to the security of office areas, systems equipment, and sensitive areas. The inventory should include the room number, the number of keys, the names of the individual(s) each key was issued to, and the date issued. Periodic inventories of all keys should be conducted and recorded, and inventories should be maintained as official records for 1 year after they are no longer current.

[Redacted]

3.1.6 Agency Has Not Fully Met Requirements

Region II developed the Region II Information Resources Branch Standard Operating Procedure – Key Inventory Process as a result of a recommendation from OIG’s 2009 Region II computer security review. This procedure documents key management activities, including distribution of keys, replacement keys, other lock and key work, return of keys, and conducting periodic key inventories. As part of an internal assessment, Region II has acknowledged that its key management procedures have not been fully implemented.

[Redacted] Region II has initiated an internal action item using its ticketing system to correct problems identified with its key management process.

[Redacted]

3.1.7 Impact on Region II Operations

[Redacted] For example, a key could be issued without recording information about who was issued the key and when. Documenting these procedures helps ensure continuity in the key and combination management process in the event of staff turnover. Documented procedures also serve as training material for new personnel and as a reference for existing personnel.

[Redacted]

MD and Handbook 12.5 require combinations to be changed immediately when individuals no longer have a need for access.

[Redacted]

RECOMMENDATIONS

    The Office of the Inspector General recommends that the Executive Director for Operations:

    2. Update key management procedures. [Redacted]

    3. Develop, document, and implement combination management procedures.

       a) [Redacted]

       b) [Redacted]

3.2    Continuity of Operations and Recovery

Region II procedures for maintaining continuity of operations and recovery are generally consistent with the requirements in MD and Handbook 12.1, MD and Handbook 12.5, NRC standards, and NIST SP 800-53. Region II has documented procedures for backups of seat-managed servers, backups of NRC-managed servers, and offsite backup storage. Region II has also developed a site-specific Occupant Emergency Plan and a contingency plan for the Region II Office Support System.

However, the evaluation team found that backup procedures are not maintained and kept up-to-date as required. 
As a result, Region II may not have reliable IT system backup information available if there is a need for system or file recovery.

3.2.1 Region II Servers

Region II is supported by IT equipment that is seat-managed and IT equipment that is NRC-managed. Core regional servers are provided and managed by the seat management contractor and include domain controllers, mail servers, multipurpose servers, a tape server, and virtual servers. These systems contain data utilized by the IT staff, customer data, e-mail accounts, backup tape server database files, and access control data. IT staff data includes software packages, workstation images, Web content, videocast files, and IT shared content. Customer data includes division-shared folders, personal folders, and other files/folders accessed via regional network mapped shares. Seat-managed servers are included in the authorization boundary of the IT Infrastructure (ITI) system. Additional regional servers are owned and managed by Region II and include a Web server, database servers, a backup server, and virtual servers. These systems contain data utilized by the IT staff for help desk management and computer imaging files. Data includes Web server data files, content, and configurations, as well as any associated scripting engines or applications related to the Web server and its configurations. NRC-managed servers at Region II are included in the authorization boundary of the Region II Office Support System.

FINDING #3: Backup Procedures Are Not Up-to-Date

MD and Handbook 12.5, NRC standards, and NIST SP 800-53 detail requirements for backups of IT systems. However, Region II has not met all of these requirements. Specifically, backup procedures are not maintained and kept up-to-date as required. As a result, Region II may not have reliable IT system backup information available if there is a need for system or file recovery.

3.2.2 Backup Requirements

MD and Handbook 12.5 detail requirements for backups of IT systems and state that these procedures should be followed when backing up media to ensure that reliable backups are available if there is a need for system or file recovery. These procedures include, but are not limited to:

- Backup schedule – outlines the type of backup, the interval for each backup, the storage location, and the number of copies of each backup.
- Full backups – performed at least weekly.
- Incremental (differential) backups – performed nightly.
- Location of backups – at least two full backups maintained. One should remain onsite and a second copy should be removed to an offsite storage facility immediately after its creation.
- Backup media – use high-quality media to ensure good quality backups are available for recovery should the need arise.
- Storage of backups – store both onsite and offsite backups in a location, cabinet, or safe that is waterproof and fireproof for at least 14 days or as recommended by the agency.
- Testing of storage – backups are periodically tested to ensure they can be used effectively to restore sensitive information.

CSO-STD-2002, System Back-up Standard, V1.1, dated December 15, 2010, states that backup and recovery procedures are to be developed, documented, approved, maintained, and used for all systems operated by or on behalf of NRC.

3.2.3 Agency Has Not Fully Met Requirements

Region II has developed backup procedures for both seat-managed servers and NRC-managed servers. These procedures are documented in the Information Resources Branch (IRB)-IT-03 GFE and Contractor Leased Server Backup Procedures, dated March 31, 2011, as well as in separate documents maintained by the seat-management server administrator and the Region II server administrator. As a result of a recommendation from OIG’s 2009 Region II computer security review, Region II developed the Region II Information Resources Branch Standard Operating Procedure Region II Offsite Backup Storage Procedures.

While Region II has developed and documented the required backup procedures, there was confusion as to whether the IRB-IT-03 document with the combined procedures was the “official” version, or whether the separately maintained procedures should be considered the official versions. The procedures for backups of NRC-managed servers are the same in the IRB-IT-03 document and in the separate document maintained by the Region II server administrator. However, the procedures for backups of seat-managed servers in the IRB-IT-03 document were not current and differed from those in the separate document maintained by the seat-management server administrator. The procedures in the separate document maintained by the seat-management server administrator are current; however, they do not contain the same level of detail as the older content in the IRB-IT-03 document, such as a description of the backup software used, license information for the backup software, a description of the tape library, a description of the backup job, the account used to run the backup jobs, and a summary of the data on each server. 
The seat-management server administrator also maintains a monthly\nimage of the Citrix servers on the behalf of ITI; however, this process is not documented in any\nprocedures. The Region II server administrator also mentioned the use of shadow copies to\nfacilitate rapid restores without having to get backup tapes from offsite storage; however, this\nprocess is also not documented in any procedures.\n\nThe Region II Offsite Backup Storage Procedures describes the procedures for sending backups\nof seat-managed and NRC-managed servers to an offsite location; however, this document refers\nto outdated versions of backup procedures for these servers.\n\n\n\n\n                        OFFICIAL USE ONLY \xe2\x80\x93 SECURITY RELATED INFORMATION\n                                                8\n\x0c                          OFFICIAL USE ONLY \xe2\x80\x93 SECURITY RELATED INFORMATION\n                                                                    Information Security Risk Evaluation of\n                                                                                    Region II \xe2\x80\x93 Atlanta, GA\n\n3.2.4 Potential Risk of Data Loss\n\nWhile the backup procedures that are currently implemented would minimize data loss in the\nevent of a computer failure, the procedures are not maintained and kept up-to-date as required.\nSoftware performs many of the backups automatically, but someone must periodically change\nthe tapes. The procedures need to be fully documented so that if the primary personnel\nresponsible for backups are unavailable, alternates have the information necessary to follow the\nprocedures. 
Current and fully documented backup procedures can also be useful when training\nnew employees with responsibilities for performing backups.\n\nAs a result of the failure to meet agency and NIST requirements regarding backups of IT\nsystems, Region II may not have reliable IT system backup information available if there is a\nneed for system or file recovery.\n\nRECOMMENDATIONS\n\n      The Office of the Inspector General recommends that the Executive Director for Operations:\n\n      4. Update backup procedures for NRC-managed servers to include procedures for\n         maintaining shadow copies to support the backup process.\n      5. Update backup procedures for seat-managed servers to include the same level of detail as\n         in the backup procedures for NRC-managed servers and procedures for maintaining a\n         monthly image of the Citrix servers on the behalf of ITI.\n      6. Update offsite backup storage procedures to include correct references to the backup\n         procedures for seat-managed and NRC-managed servers.\n\n3.3      Information Technology Security Program\n\nOverall, Region II is following agency security policies and procedures regarding IT security.\nRegion II has developed regional office instructions that are generally up-to-date and are\navailable on the Region II internal Web site. Staff receive training regarding IT security during\nthe onboarding process and the Information Systems Security Officer (ISSO) sends periodic\ncybersecurity reminders on topics. Users are generally aware of and are following agency and\nRegion II IT security policies and procedures. 
Region II maintains an inventory of IT systems in\nuse at the region, to include a general support system, two subsystems (applications), and laptops\nprocessing safeguards information (SGI) and classified information.\n\nHowever, the evaluation team found issues with the Region II laptop systems and with keeping\nRegion II IT security program procedures up-to-date.\n\n3.3.1 Region II Laptop Systems\n\nLaptops in use at Region II are either seat-managed laptops or NRC-owned laptops. Seat-\nmanaged laptops in use at Region II include those laptops that are part of the agency\xe2\x80\x99s new work\nfrom anywhere/mobile desktop program. NRC-owned laptops in use at Region II include loaner\n\n\n\n                          OFFICIAL USE ONLY \xe2\x80\x93 SECURITY RELATED INFORMATION\n                                                  9\n\x0c                         OFFICIAL USE ONLY \xe2\x80\x93 SECURITY RELATED INFORMATION\n                                                                   Information Security Risk Evaluation of\n                                                                                   Region II \xe2\x80\x93 Atlanta, GA\n\nlaptops, stationary laptops found in conference rooms, and laptops used to process classified\ninformation or SGI.\n\nFINDING #4: Some Laptops Are Not Authorized To Operate and Documentation for\nRegional Laptop Systems Is Not Up-to-Date\n\nThe NRC Laptop Security Policy, which specifies the requirements for authorization of laptop\nsystems, states that all NRC laptops must be either designated a system or included as part of an\nexisting system. NRC-owned laptops in use at Region II include loaner laptops, stationary\nlaptops found in conference rooms, and laptops used to process classified information or SGI.\nHowever, the evaluation team found that some NRC-owned laptops have not been authorized to\noperate and documentation for regional laptop systems is not up-to-date. 
As a result, Region II is\nnot fully compliant with NRC requirements for laptop systems. Without up-to-date\ndocumentation, Region II laptop systems users may not be aware of their responsibilities with\nregard to use of these laptops, which could lead to unauthorized use of NRC resources or release\nof sensitive information.\n\n3.3.2 Laptop System Requirements\n\nThe NRC Laptop Security Policy states that all NRC laptops must either be designated a system\nor be included as part of an existing system. All laptops that are not seat-managed are\nconsidered to be organization-managed, i.e., NRC-owned. All NRC-owned laptops that process\nor access classified national security information belong to that office or region\xe2\x80\x99s \xe2\x80\x9cClassified\nLaptop System.\xe2\x80\x9d All NRC-owned laptops that process or access SGI and are not part of the\noffice or region\xe2\x80\x99s \xe2\x80\x9cClassified Laptop System\xe2\x80\x9d belong to that office or region\xe2\x80\x99s \xe2\x80\x9cSGI Laptop\nSystem.\xe2\x80\x9d All NRC-owned laptops that are not part of the office or region\xe2\x80\x99s \xe2\x80\x9cClassified Laptop\nSystem\xe2\x80\x9d or the office or region\xe2\x80\x99s \xe2\x80\x9cSGI Laptop System\xe2\x80\x9d belong to that office or region\xe2\x80\x99s \xe2\x80\x9cGeneral\nLaptop System.\xe2\x80\x9d\n\nThe NRC Laptop Security Policy also specifies the following requirements for authorization\n(formerly referred to as accreditation):\n\n       Laptop systems must meet the requirements provided in the relevant standard security\n       plan. 
There is a different standard security plan for classified, SGI, and general laptops.\n       Laptop systems must be certified by the system owner as compliant with the relevant\n       laptop system requirements.\n       Laptop systems must be accredited by the appropriate Designated Approving Authority\n       prior to processing any relevant (i.e., classified, SGI, sensitive unclassified) information\n       on the system.\n       Certification of a laptop system requires a system certification memorandum from the\n       laptop system owner. The memorandum must include an enclosure that provides the\n       names and contact information for the: System Owner, Certification Agent, ISSO,\n       Alternate ISSO, and System Administrator.\n\n\n\n\n                         OFFICIAL USE ONLY \xe2\x80\x93 SECURITY RELATED INFORMATION\n                                                 10\n\x0c                         OFFICIAL USE ONLY \xe2\x80\x93 SECURITY RELATED INFORMATION\n                                                                   Information Security Risk Evaluation of\n                                                                                   Region II \xe2\x80\x93 Atlanta, GA\n\n\n       For each laptop or removable hard drive that is part of the laptop system, the enclosure\n       must provide information such as physical storage location, location where system is\n       used, brand, model, tag number, peripherals, etc.\n\n3.3.3 Agency Has Not Fully Met Requirements\n\nRegion II currently has two laptop systems \xe2\x80\x93 a classified laptop system (currently two laptops)\nand an SGI laptop system. The SGI laptop system consists of two separate subsystems \xe2\x80\x93 SGI\nlaptops in use in the Region II office (currently four laptops), and SGI laptops in use at the\nResident Inspector sites (multiple laptops, recently replaced by Safeguards Information Local\nArea Network and Electronic Safe workstations). 
In 2009, Region II submitted certification\nmemoranda and the required enclosure for authorization of the following laptop systems. These\nsystems were authorized to operate until August 2012.\n\n       Region II Classified Laptop System (2 laptops).\n       Region II SGI Standalone Personal Computer System (four laptops).\n       Region II SGI Laptop System (laptops at Resident Inspector sites).\n\nRegion II is currently in the process of replacing the two classified laptops with four new units\nand the two SGI laptops with two new units.\n\nSome Laptops Are Not Authorized To Operate\n\nRegion II has not established a general laptop system, which would include its loaner laptops and\nstationary laptops found in conference rooms. Region II is evaluating whether to continue to\nmanage these laptops as NRC-owned laptops, or to replace them with seat-managed laptops. If\nRegion II decides to continue to manage these laptops as NRC-owned laptops, then Region II\nwill need to establish a general laptop system and complete the process described in the NRC\nLaptop Security Policy for authorization of the general laptop system.\n\nDocumentation for Regional Laptop Systems Is Not Up-to-Date\n\nThe following Regional Office Instructions (ROI) have been issued to provide an overview of\nthe security requirements, description of security controls, and delineation of the responsibilities\nand expected behavior of all individuals who use laptops that process classified and SGI\ninformation:\n\n       ROI No. 1251, Revision 1, Region II System Security Plan for Processing Classified\n       Information, dated June 4, 2012.\n       ROI No. 1250.1, Region II System Security Plan for Processing Safeguards Information\n       (Laptop Computer System), dated September 10, 2003.\n       ROI No. 
1250.2, Region II System Security Plan for Processing Safeguards Information\n       (Removable Hard Drive System), dated September 2003.\n\n\n\n\n                         OFFICIAL USE ONLY \xe2\x80\x93 SECURITY RELATED INFORMATION\n                                                 11\n\x0c                         OFFICIAL USE ONLY \xe2\x80\x93 SECURITY RELATED INFORMATION\n                                                                   Information Security Risk Evaluation of\n                                                                                   Region II \xe2\x80\x93 Atlanta, GA\n\nROI No. 1251, Revision 1, corresponds to the four new classified units currently awaiting\nauthorization to operate. The previous version of ROI No. 1251, dated September 26, 2003,\ncorresponded to the two classified laptops currently authorized to operate. However, ROI No.\n1250.1 and 1250.2 do not correspond to either of the SGI laptop systems (the four laptops in use\nat the Region II office and the laptops recently removed from the Resident Inspector sites)\ncurrently authorized to operate.\n\n3.3.4 Impact on Region II Operations\n\nWhile Region II has followed the procedures in the NRC Laptop Security Policy for\nauthorization of its classified and SGI laptop systems, it has not followed this process for\nauthorization of the general laptop system. In addition, Region II has not kept the ROIs up-to-\ndate that correspond to the different laptop systems. As a result, Region II is not fully compliant\nwith NRC requirements for laptop systems. Without up-to-date documentation, Region II laptop\nsystems users may not be aware of their responsibilities with regard to use of these laptops,\nwhich could lead to unauthorized use of NRC resources or release of sensitive information.\n\nRECOMMENDATIONS\n\n   The Office of the Inspector General recommends that the Executive Director for Operations:\n\n   7. 
Establish a general laptop system and complete the process described in the NRC Laptop\n      Security Policy for authorization of the general laptop system.\n   8. Update ROI 1250.1/1250.2 to correspond to the SGI laptop systems in use at Region II\n      and currently authorized to operate.\n\n3.3.5 Regional Procedures and Instructions\n\nRegion II uses various types of procedures to implement their IT security program. These\nprocedures include standard operating procedures issues by the Division of Resource\nManagement and Administration Information Resources Branch and ROI. Standard operating\nprocedures are used to describe specific activities, such as key and keycard management and\nperforming backups. ROI are typically used to disseminate, implement, clarify, or amplify\npolicy or other information contained in other NRC documents. For example, Region II uses\nROI to communicate various aspects of the Region II security program, including personnel\nsecurity, facility security, telecommunications security, and security for sensitive, SGI, and\nclassified information.\n\nFINDING #5: Regional IT Security Program Procedures Are Not Kept Up-to-Date\n\nNRC has developed several security standard that specify the frequency of reviewing and\nupdating IT security program procedures. However, as discussed in finding 2, 3, and 4, regional\nIT security program procedures are not kept up-to-date. As a result, steps or processes could be\nskipped or forgotten if personnel responsible for a particular activity are unavailable. 
In\naddition, outdated procedures make it more difficult when training new personnel to handle a\nspecific activity.\n\n\n                         OFFICIAL USE ONLY \xe2\x80\x93 SECURITY RELATED INFORMATION\n                                                 12\n\x0c                         OFFICIAL USE ONLY \xe2\x80\x93 SECURITY RELATED INFORMATION\n                                                                   Information Security Risk Evaluation of\n                                                                                   Region II \xe2\x80\x93 Atlanta, GA\n\n\n\n3.3.6 Requirements for Updating Procedures\n\nCSO-STD-0020, defines the mandatory values for specific controls in the eighteen security\ncontrols families described in NIST SP 800-53. The standard requires that documented\nprocedures to facilitate the implementation of a control should be reviewed and updated\nannually. The standard also requires system owners to review system security plans at least\nannually and update them to address changes to the information system and/or environment of\noperation. CSO-STD-2001, Operating Procedures Standard, V1.1, dated April 15, 2011, states\nthat documented and periodically reviewed operational procedures and responsibilities capture\nthe requirements for secure operation of information systems and effective management and\nsupport of IT systems. This standard requires system owners to ensure operating procedures are\nreviewed and approved on a periodic basis, at least annually.\n\n3.3.7 Agency Has Not Fully Met Requirements\n\nRegion II has documented procedures to facilitate the implementation of specific IT security\ncontrols, including key management, performing backups, and security for sensitive, SGI, and\nclassified information. 
However, as discussed in findings 2, 3, and 4, the evaluation team found\nthat several of these procedures are not up-to-date.\n\nRegion II does not have a process for reviewing and updating procedures on a periodic basis.\nROI No. 0201, Revision 9, System of Instructions and Notices, dated March 19, 2012, describes\nthe process for issuing ROIs; however, it does not specify the frequency for which ROIs should\nbe reviewed to determine if they require updates.\n\n3.3.8 Impact on Region II Operations\n\nOutdated procedures can result in steps or processes being skipped or forgotten if personnel\nresponsible for a particular activity are unavailable. In addition, outdated procedures make it\nmore difficult when training new personnel to handle a specific activity. In the case of the\noutdated ROIs, Region II is not in compliance with NRC requirements for laptop systems.\nWithout up-to-date procedures, Region II laptop systems users may not be aware of their\nresponsibilities with regard to use of these laptops. Current procedures ensure continuity in\nperforming a specific IT security function in the event of staff turnover and are excellent for\ntraining new personnel and an excellent reference for existing personnel.\n\nRECOMMENDATION\n\n   The Office of the Inspector General recommends that the Executive Director for Operations:\n\n   9. 
Develop, document, and implement a procedure for reviewing and updating IT security\n      program procedures, including regional office instructions, on an annual basis.\n\n\n\n\n                         OFFICIAL USE ONLY \xe2\x80\x93 SECURITY RELATED INFORMATION\n                                                 13\n\x0cOFFICIAL USE ONLY \xe2\x80\x93 SECURITY RELATED INFORMATION\n                                          Information Security Risk Evaluation of\n                                                          Region II \xe2\x80\x93 Atlanta, GA\n\n\n\n\n         [Page intentionally left blank]\n\n\n\n\nOFFICIAL USE ONLY \xe2\x80\x93 SECURITY RELATED INFORMATION\n                        14\n\x0c                        OFFICIAL USE ONLY \xe2\x80\x93 SECURITY RELATED INFORMATION\n                                                                  Information Security Risk Evaluation of\n                                                                                  Region II \xe2\x80\x93 Atlanta, GA\n\n4      Consolidated List of Recommendations\n\nThe Office of the Inspector General recommends that the Executive Director for Operations:\n\n    1. Develop, document, and implement procedures for testing UPSs on a periodic basis.\n       Procedures should include a means to record the results of such testing.\n    2. Update key management procedures.\n\n\n\n\n    3. Develop, document, and implement combination management procedures.\n\n       a)\n\n\n       b)\n\n    4. Update backup procedures for NRC-managed servers to include procedures for\n       maintaining shadow copies to support the backup process.\n    5. Update backup procedures for seat-managed servers to include the same level of detail as\n       in the backup procedures for NRC-managed servers and procedures for maintaining a\n       monthly image of the Citrix servers on the behalf of ITI.\n    6. 
Update offsite backup storage procedures to include the correct references to the backup\n       procedures for seat-managed and NRC-managed servers.\n    7. Establish a general laptop system and complete the process described in the NRC Laptop\n       Security Policy for authorization of the general laptop system.\n    8. Update ROI 1250.1/1250.2 to correspond to the SGI laptop systems in use at Region II\n       and currently authorized to operate.\n    9. Develop, document, and implement a procedure for reviewing and updating IT security\n       program procedures, including regional office instructions, on an annual basis.\n\n\n\n\n                        OFFICIAL USE ONLY \xe2\x80\x93 SECURITY RELATED INFORMATION\n                                                15\n\x0cOFFICIAL USE ONLY \xe2\x80\x93 SECURITY RELATED INFORMATION\n                                          Information Security Risk Evaluation of\n                                                          Region II \xe2\x80\x93 Atlanta, GA\n\n\n\n\n         [Page intentionally left blank]\n\n\n\n\nOFFICIAL USE ONLY \xe2\x80\x93 SECURITY RELATED INFORMATION\n                        16\n\x0c                         OFFICIAL USE ONLY \xe2\x80\x93 SECURITY RELATED INFORMATION\n                                                                   Information Security Risk Evaluation of\n                                                                                   Region II \xe2\x80\x93 Atlanta, GA\n\n5      Agency Comments\n\nAt an exit conference on July 13, 2012, agency officials agreed with the findings and did not\nprovide any changes to the draft report. 
The agency opted not to submit formal comments.\n\n\n\n\n                         OFFICIAL USE ONLY \xe2\x80\x93 SECURITY RELATED INFORMATION\n                                                 17\n\x0cOFFICIAL USE ONLY \xe2\x80\x93 SECURITY RELATED INFORMATION\n                                          Information Security Risk Evaluation of\n                                                          Region II \xe2\x80\x93 Atlanta, GA\n\n\n\n\n         [Page intentionally left blank]\n\n\n\n\nOFFICIAL USE ONLY \xe2\x80\x93 SECURITY RELATED INFORMATION\n                        18\n\x0c                         OFFICIAL USE ONLY \xe2\x80\x93 SECURITY RELATED INFORMATION\n                                                                   Information Security Risk Evaluation of\n                                                                                   Region II \xe2\x80\x93 Atlanta, GA\n\nAppendix.         OBJECTIVES, SCOPE, AND METHODOLOGY\n\nOBJECTIVES\n\nThe objectives of the Region II information security risk evaluation were to:\n\n        Perform an independent information security risk evaluation of the NRC computer\n        security program, policies, and practices for compliance with FISMA in accordance with\n        OMB guidance and Federal regulations and guidelines as implemented at Region II.\n        Evaluate the effectiveness of agency security control techniques as implemented at\n        Region II.\n\nSCOPE\n\nThe scope of this information system security evaluation included:\n\n        The six floors Region II occupies in the Marquis One Tower, 245 Peachtree Center\n        Avenue N.E., Suite 1200, Atlanta, GA 30303-8931.\n        Region II seat-managed equipment.\n        Region II NRC-managed equipment.\n\nThe information system security evaluation did not include controls related to the management\nof safeguards or classified information.\n\nThe evaluation work was conducted during a site visit to Region II in Atlanta, GA, between July\n9, 
2012, and July 13, 2012. Any information received from the agency subsequent to the\ncompletion of fieldwork was incorporated when possible. Throughout the evaluation, evaluators\nwere aware of the potential for fraud, waste, or misuse in the program.\n\nMETHODOLOGY\n\nRichard S. Carson & Associates, Inc. conducted a high-level, qualitative evaluation of NRC\ncomputer security program, policies, and practices as implemented at Region II, and evaluated\nthe effectiveness of agency security control techniques as implemented at Region II.\n\nIn conducting the information security risk evaluation, the following areas were reviewed:\nphysical and environmental security controls, logical access controls, configuration management,\ninformation system security program, and continuity of operations and recovery. Specifically,\nthe evaluation team conducted site surveys of the six floors Region II occupies in the Marquis\nOne Tower, 245 Peachtree Center Avenue N.E., Suite 1200, Atlanta, GA 30303-8931, focusing\non the areas that house IT equipment. The team conducted interviews with the Region II ISSO,\nthe seat-management server administrator, the Region II server administrator, and other Region\nII staff members responsible for implementing the agency\xe2\x80\x99s information system security program\nat Region II. The evaluation team also conducted user interviews with 15 Region II employees,\nincluding two Resident Inspectors and one teleworker. 
The team reviewed documentation\n\n\n                         OFFICIAL USE ONLY \xe2\x80\x93 SECURITY RELATED INFORMATION\n                                                 19\n\x0c                        OFFICIAL USE ONLY \xe2\x80\x93 SECURITY RELATED INFORMATION\n                                                                  Information Security Risk Evaluation of\n                                                                                  Region II \xe2\x80\x93 Atlanta, GA\n\nprovided by Region II including floor plans; inventories of IT systems, hardware, and software;\nlocal policies and procedures; security plans; backup procedures; contingency plans, and the\nOccupancy Emergency Plan. The information security risk evaluation also included a network\nvulnerability assessment scan of the Region II network and the Region II Resident Inspector\nsites.\n\nAll analyses were performed in accordance with guidance from the following:\n\n       NIST standards and guidelines.\n       NRC MD and Handbook 12.5, NRC Automated Information Security Program.\n       NRC Computer Security Office policies, processes, procedures, standards, and\n       guidelines.\n       NRC OIG audit guidance.\n\nThe work was conducted by Jane M. Laroussi, CISSP, CAP, GIAC ISO-17799; Virgil Isola,\nCISSP; and Joseph Rood, GWAPT, CISSP, CISA, from Richard S. Carson & Associates, Inc.\n\n\n\n\n                        OFFICIAL USE ONLY \xe2\x80\x93 SECURITY RELATED INFORMATION\n                                                20\n\x0c'